duongkame commented on code in PR #4389:
URL: https://github.com/apache/ozone/pull/4389#discussion_r1141226466
##########
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java:
##########
@@ -754,8 +776,48 @@ private void instantiateServices(boolean withNewSnapshot)
throws IOException {
}
volumeManager = new VolumeManagerImpl(metadataManager);
bucketManager = new BucketManagerImpl(metadataManager);
+ S3SecretStoreType type = S3SecretStoreType.fromName(
+ configuration.get(S3_SECRET_STORAGE_TYPE,
DEFAULT_SECRET_STORAGE_TYPE));
+ S3SecretStore store;
+ S3SecretCache cache;
+ switch (type) {
+ case HASHICORP_VAULT:
+ S3RemoteSecretStoreBuilder builder = S3RemoteSecretStore.builder()
Review Comment:
The config extraction and construction of Vault Secret store and cache
should be moved out of `OzoneManager`, which is too complex and already
responsible for many things.
e.g. `S3RemoteSecretStoreBuilder` should know how to build from config.
##########
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/s3http/vault/S3RemoteSecretStore.java:
##########
@@ -0,0 +1,121 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.ozone.om.s3http.vault;
+
+import com.bettercloud.vault.SslConfig;
+import com.bettercloud.vault.Vault;
+import com.bettercloud.vault.VaultConfig;
+import com.bettercloud.vault.VaultException;
+import com.bettercloud.vault.response.LogicalResponse;
+import org.apache.hadoop.ozone.om.S3Batcher;
+import org.apache.hadoop.ozone.om.S3SecretStore;
+import org.apache.hadoop.ozone.om.helpers.S3SecretValue;
+import org.apache.hadoop.ozone.om.s3http.vault.auth.Auth;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.util.Collections;
+
+/**
+ * Based on HashiCorp Vault secret storage.
+ * Documentation link {@code https://developer.hashicorp.com/vault}.
+ */
+public class S3RemoteSecretStore implements S3SecretStore {
+ private static final Logger LOG =
+ LoggerFactory.getLogger(S3RemoteSecretStore.class);
+
+ private final VaultConfig config;
+ private Vault vault;
+ private final String secretPath;
+ private final boolean reAuth = true;
+ private final Auth auth;
+
+ public S3RemoteSecretStore(String vaultAddress,
+ String nameSpace,
+ String secretPath,
+ int engineVersion,
+ Auth auth,
+ SslConfig sslConfig) throws IOException {
+ try {
+ config = new VaultConfig()
+ .address(vaultAddress)
+ .engineVersion(engineVersion)
+ .nameSpace(nameSpace)
+ .sslConfig(sslConfig)
+ .build();
+
+ this.auth = auth;
+ vault = auth.auth(config);
+ this.secretPath = secretPath;
+ } catch (VaultException e) {
+ throw new IOException("Failed to initialize remote secret store", e);
+ }
+ }
+
+ private void auth() {
+ try {
+ vault = auth.auth(config);
+ } catch (VaultException e) {
+ LOG.error("Failed to s3 secret store auth", e);
+ }
+ }
+
+ @Override
+ public void storeSecret(String kerberosId, S3SecretValue secret)
+ throws IOException {
+ try {
+ LogicalResponse s3Secret = vault.logical()
+ .write(secretPath,
+ Collections.singletonMap(kerberosId, secret.getAwsSecret()));
+ System.out.println(s3Secret.getData());
Review Comment:
This should be removed.
##########
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/s3http/vault/S3RemoteSecretStore.java:
##########
@@ -0,0 +1,121 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.ozone.om.s3http.vault;
+
+import com.bettercloud.vault.SslConfig;
+import com.bettercloud.vault.Vault;
+import com.bettercloud.vault.VaultConfig;
+import com.bettercloud.vault.VaultException;
+import com.bettercloud.vault.response.LogicalResponse;
+import org.apache.hadoop.ozone.om.S3Batcher;
+import org.apache.hadoop.ozone.om.S3SecretStore;
+import org.apache.hadoop.ozone.om.helpers.S3SecretValue;
+import org.apache.hadoop.ozone.om.s3http.vault.auth.Auth;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.util.Collections;
+
+/**
+ * Based on HashiCorp Vault secret storage.
+ * Documentation link {@code https://developer.hashicorp.com/vault}.
+ */
+public class S3RemoteSecretStore implements S3SecretStore {
+ private static final Logger LOG =
+ LoggerFactory.getLogger(S3RemoteSecretStore.class);
+
+ private final VaultConfig config;
+ private Vault vault;
+ private final String secretPath;
+ private final boolean reAuth = true;
+ private final Auth auth;
+
+ public S3RemoteSecretStore(String vaultAddress,
+ String nameSpace,
+ String secretPath,
+ int engineVersion,
+ Auth auth,
+ SslConfig sslConfig) throws IOException {
+ try {
+ config = new VaultConfig()
+ .address(vaultAddress)
+ .engineVersion(engineVersion)
+ .nameSpace(nameSpace)
+ .sslConfig(sslConfig)
+ .build();
+
+ this.auth = auth;
+ vault = auth.auth(config);
+ this.secretPath = secretPath;
+ } catch (VaultException e) {
+ throw new IOException("Failed to initialize remote secret store", e);
+ }
+ }
+
+ private void auth() {
Review Comment:
Is this method used at all?
##########
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OmMetadataManagerImpl.java:
##########
@@ -293,6 +295,8 @@ public class OmMetadataManagerImpl implements
OMMetadataManager,
private Map<String, Table> tableMap = new HashMap<>();
private List<TableCacheMetrics> tableCacheMetrics = new LinkedList<>();
+ private TableCache<CacheKey<String>, CacheValue<S3SecretValue>>
s3SecretCache;
Review Comment:
I don't think the secret cache needs to be coupled with the secret store
implementation. Just using the `S3ImMemoryCache` for both caches is good
enough. At the end of the day, they're just im-memory cache.
##########
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/s3http/vault/auth/AuthType.java:
##########
@@ -0,0 +1,61 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.ozone.om.s3http.vault.auth;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.ozone.om.s3http.S3SecretStoreConfigurationKeys;
+
+import static
org.apache.hadoop.ozone.om.s3http.S3SecretStoreConfigurationKeys.APP_ROLE_ID;
+import static
org.apache.hadoop.ozone.om.s3http.S3SecretStoreConfigurationKeys.APP_ROLE_PATH;
+import static
org.apache.hadoop.ozone.om.s3http.S3SecretStoreConfigurationKeys.APP_ROLE_SECRET;
+import static
org.apache.hadoop.ozone.om.s3http.S3SecretStoreConfigurationKeys.AUTH_TYPE;
+
+/**
+ * Type of authentication method.
+ */
+public enum AuthType {
+ APP_ROLE("appRole"),
+ TOKEN("token");
+
+ private final String name;
+
+ AuthType(String name) {
+ this.name = name;
+ }
+
+ public String getName() {
+ return name;
+ }
+
+ public static Auth fromConf(Configuration conf) {
+ AuthType authType = AuthType.valueOf(conf.get(AUTH_TYPE));
+ switch (authType) {
+ case TOKEN:
+ String token = conf.get(S3SecretStoreConfigurationKeys.TOKEN);
Review Comment:
Just to clarify, in this mode, can we use a fixed token to talk to the
vault? What does the token renewal process look like?
I guess the use of `Supplier` in `DirectTokenAuth` indicate a future
improvement in this area. If so, please put a comment with JIRA for the
improvement.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
